Hello friends, I was wondering if it is better for me to use a VPN connection with integrated 2FA to my servers (nodes) instead of configuring SSH on all nodes? I want to buy a MikroTik router that has support for VPN with 2FA authentication and also has a firewall where I will just allow the ports that are needed for running a node. Also, the router, as I have seen, has a good firewall that shows failed logins, and I can make rules there to block an IP if it has more than X attempts. Is that better than configuring the Linux firewall and SSH with 2FA? I mean, I will double-configure the 2FA for my nodes, but the IP blocking and the connection will be made from my router?
If going through this router is the only way to connect to the nodes, and you control all the nodes behind this router, you can deactivate the firewall and the 2FA on the Linux machines and block all the ports except the Cardano ports on the router. One 2FA (when you connect to the VPN with 2FA) required for administrative connections to the Linux machines is enough.
That is basically what I do, except that my router is just a computer with multiple network sockets running Linux, and the firewall is nftables.
I too was a bit paranoid about leaving the SSH port visibly open on the firewall, and so instead made it only accessible via a WireGuard VPN. Even though my SSH only allows key-based authentication, I didn’t want script kiddies continually hitting my open SSH port. Now they need to go via my WireGuard port, and it is silent unless they send it packets encrypted with the correct WireGuard key. So, even if they get the WireGuard key (which is essentially just a configuration line and so could be copied from a hacked machine), they still need the SSH key. And my SSH key is protected on a hardware smart card and not stored anywhere else.
The weak point is still the keys, and so you need to protect your SSH key so that it can’t be copied. Just like everyone recommends hardware wallets for your crypto keys, we should be using hardware devices to protect our SSH keys. All SSH authentication is then done on the hardware smart card. You will have the equivalent with your 2FA setup.
Do you run your machines on encrypted filesystems? If not, then someone can physically steal your computer and copy all your keys stored on the filesystem. If you use encrypted filesystems, have you figured out a reliable way to allow remote booting and still enter the decryption key for the filesystem? One way is to use Dropbear SSH in an initramfs, but then you have your SSH port open during the initramfs stage. Or do you just make it so that you physically have to be next to the machine to reboot it?
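An nftables ruleset of the kind this reply describes (Linux box as the router, SSH reachable only through WireGuard, only the node's public port forwarded), as an added example that is not the poster's own configuration; interface names, ports and the node address are assumed placeholders:

```nftables
#!/usr/sbin/nft -f
# Added example, not the poster's configuration. Names and values are assumed
# placeholders: wan0 = internet side, lan0 = node side, wg0 = WireGuard interface,
# 51820 = WireGuard UDP port, 3001 = node's peer port, 192.0.2.10 = node's LAN address.
flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define WG = "wg0"
define WG_PORT = 51820
define NODE_PORT = 3001
define NODE_ADDR = 192.0.2.10
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state invalid drop
        ct state established,related accept
        # WireGuard: packets not encrypted with a known peer key are discarded
        # by the kernel, so this port does not "answer" scanners.
        iifname $WAN udp dport $WG_PORT accept
        # Admin SSH to the router itself only from inside the tunnel.
        iifname $WG tcp dport 22 accept
        # Record (and still drop) SSH attempts arriving on the public side.
        iifname $WAN tcp dport 22 log prefix "ssh-from-wan: " counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        # Public traffic: only the node's peer-to-peer port is reachable.
        iifname $WAN oifname $LAN ip daddr $NODE_ADDR tcp dport $NODE_PORT accept
        # Admin SSH to the node only via the VPN; sshd never faces the internet.
        iifname $WG oifname $LAN ip daddr $NODE_ADDR tcp dport 22 accept
        # The node may open outbound connections itself (peers, updates).
        iifname $LAN oifname $WAN accept
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $WAN tcp dport $NODE_PORT dnat to $NODE_ADDR
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it with `nft -f` and check the counters with `nft list ruleset`; the `ssh-from-wan:` prefix makes the dropped public SSH attempts easy to find in the kernel log, which is the same "failed attempts" visibility the original question wanted from the router.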
As far as I know, the SSH private key, when it is generated, is made so that it cannot be copied without administrator rights… Also, the SSH key has a password when created… Won’t that be enough? Also, I store the SSH private key on a USB drive encrypted with BitLocker… Anyway, if they steal my SSH key and get the password, they won’t have access with the 2FA, because I use time-based auth… Hmm, about the remote booting… I think I would not use remote booting if it is not that secure… And where can I get a hardware smart card? I do not have one… I read something about PIV or CAC smart cards. Are those OK?
If someone cracks into your machine they will copy the file.
The cracker will use a keylogger to log your password.
Everyone knows about using a hardware wallet to protect their crypto keys, but very few people seem to use hardware devices to protect their GPG and SSH keys. Just as a crypto wallet does the signing of transactions on the hardware device, so does a smart card sign with GnuPG keys. The key never leaves the hardware device, and so it cannot be copied even if used on a hacked machine.
That makes things much more secure, especially if the 2FA device is a hardware device like a YubiKey or, better still, a Gnuk Token (FOSDEM 2019 - FST-01SZ (Flying Stone Tiny 01 revision ShenZhen)).
This blog provides some more detail:
https://blog.josefsson.org/2022/12/24/openpgp-key-on-fst-01sz/